free encryption certificates and encrypting elgg sites

i have read some of the threads here where questions have been raised about the wisest approach for using encryption and certificates with elgg. the conclusion is that encryption is necessary for logins as a minimum. 

since, like domain names, the 'trust' industry has already been hijacked by ones i don't trust; who offer to sell certificates of trust and the browsers offer alerts that your site is not 'trusted' if you use a 'self generated' certificate.. does anyone here have any ideas i may not be aware of, of how to run a free certificate without triggering the browser 'UNSAFE SITE' warnings?

i know there are one or two groups that claim to offer free certificates.. without naming names, i attempted to begin setting up a certificate with them and one group only offered the service if you are within the usa border and the other (who i spoked to by phone) seemed highly untrustworthy themselves!

i really don't see how paying a group that you have never met to issue you with their brand of certificate is any type of guarantee of security at all. with this system in place, sites that attempt to activate encryption for free, even with encryption certificates that are of greater ability than the 'paid for' ones, will be identified as being 'threats'.. when in reality they are safer.. i am wondering if this is actually part of the plot to de-rail encryption algorithms and thus to prevent real encryption being used, while earning large amounts of cash.

  • Thanks for the information : ) its all tricks and games lol

  • here's the site for the convergence project that aims to delete certificate authorities such as comodo etc.
    http://convergence.io/

  • Maybe I am reading this not right, but you want a SSL certificate on a dynamic IP address ?

    How can that be certified and add any security level to users ?

    But maybe the internet community has sufficient trust in DNS itself, but a self signed certificate should always present a warning to users. There is no trusted third party involved to validate your certificate. And that is the whole idea. I trust you URA (even without knowing your real name :-), but why would the rest of the world do that ?

    So I guess, you need a fixed IP address and there must be some free SSL providers, but even if they don't exist, you can buy them at some very low rates. It is not a scam, it is just a way to make internet a bit safer and yes companies can make money out of it. So what ? They are providing a service.

  • @gerard - the issue here is not about using dynamic IP addresses - that is just another point that came up in this thread.

    this is a complex topic and i suggest watching some of the videos for more complete information. the 'trusted third parties' do not want you to know what these videos show since they know that their days are numbered.

  • Oke, I see. That is indeed an issue.  I published an article about it in 2011 , but nobody seems to care. My government and some banks where hacked using this method and still nobody cared. I actually talked to the hacked banks CIO and they still wanted to deal with it themselves. And 6 months later, they were hacked again... :-)

    http://www.centillien.com/news/view/49875/serieus-veiligheidslek-in-ssl 

    I am sorry it is in Dutch, but it has the same message as the videos. It is not due to comodo or any other ssl provider. It is part of the HTTPS protocol that allows a proxy to intercept the connection, decrypt and forward the traffic to the destiny server without noticing the intercept.

    I know a solution, but as long as nobody cares, why publish it ? Let's wait and see if any serious damage will occur. But you URA can sleep well, there are bigger fish to catch....

  • its all about free ssl basically or the cheapest way to get ssl for your site : )

  • @UK, no it is not about that.

  • multiple issues exist here.. one is the man in the middle attack vector using sslsniff or other code and yes, that is one which is due to the inherent failure of the ssl design.

    other issues are that the CA authorities are not well run, make lots of cash for doing very little and ultimately dis-empower us - the ones who are doing the trusting and running the sites. that model reflects the pyramid model that is not this planet's true destiny path and never was - yet has prevailed in many of societies structures.

    if you watch through the various defcom videos you will see the variety of amusing and slightly alarming events that have occurred in ssl's history and also the actions of the CAs, where their security has been flawed and they have shown a lack of knowledge of the truth of the situation.

    the proposed solution for the man in the middle attack, for me, is to ensure that all pages of the site are encrypted. i just read how google has recently discovered (so they publicly claim anyway) that the nsa has been reading all their data internally in its unencrypted form - they now claim that they have enabled encryption of all their data internally. even serving 100% encrypted pages does not reach that level of encryption. the man in the middle issue involves where pages are http and forward to an https login, such as elgg does as its default secure login option. thus this approach is essentially useless.

    in fact, i would say that if any elgg admin truly thinks his/her's site's data must be secured he/she should close the site until it is completley served via https and then change all passwords.

    the convergence.io solution is a considerable step in the right direction, such that the authorisation process is de-centralised - certainly worth exploring.

  • the free certificate issue is also part of this, that is where i began.. and quickly saw that the issue is much bigger than just the cash.. it's also about the cache! 

  • n.b. the problem with totally running a site via https presently is that you need a 'trusted' corporate type certificate to ensure that the browser does not throw out warning pages and thus no-one will even be able to view your homepage without it.. 
    possibly a walled garden could be ok if the login page was on a 2nd page.. i'm not 100% clear on that, i need to watch some of those videos again.. i've watched 6+ hours of presentations today on mostly new-ish topics for me.